Monday, September 16, 2013

Post-mortem: bitcoin stealing attack against LocalBitcoins

On Friday 13.9.2013 there was an attack against LocalBitcoins.com that aimed to steal bitcoins from the wallets of LocalBitcoins.com users. Thanks to the responsive LocalBitcoins community, the attack was quickly detected, the support team was notified and the attack was blocked. All affected users have now been reimbursed for their losses.

A user with a relatively old LocalBitcoins.com account sent malicious file attachments to traders through LocalBitcoins.com internal messaging. People who opened the attachment might have lost the bitcoins they had in their LocalBitcoins wallet. This was due to an error in the LocalBitcoins.com messaging system, which should block all kinds of malicious file attachments. A total of 82 bitcoins was stolen.

Only users who had not enabled two-factor authentication were affected. LocalBitcoins.com always reminds users who have bitcoins in their wallet to enable two-factor authentication, which protects against both technical and social account hacking attempts.

LocalBitcoins.com security has now been strengthened and similar attacks are not possible in the future. LocalBitcoins.com internal messaging is safe and users are encouraged to use it. People should always be very careful when communicating outside the LocalBitcoins system.

LocalBitcoins reimbursement policy

LocalBitcoins credits the lost bitcoins to its users when there is a clear error in LocalBitcoins.com service, allowing somebody who is not authenticated on the site to access the wallet.

LocalBitcoins.com does not credit the lost bitcoins when the loss is caused by the actions of the user. Such actions include, but are not limited to:

Giving the username and password to an external (phishing) site, or losing control of the password because the computer is infected by malware.

Releasing bitcoins from an escrow to a buyer even though the payment is not properly confirmed and cleared.

LocalBitcoins.com cannot protect users against phishing and file attachment attacks outside the LocalBitcoins.com service. Thus, always be careful when opening emails, SMS messages, links and attachments coming directly from another person. Always enable two-factor authentication when you are actively dealing with bitcoins on any service you are using.

Attack details

The attack was performed by uploading a specially crafted image file. The file attachment had PNG image file headers, but contained an HTML payload and had an .htm extension. The HTML payload included JavaScript code that performed an HTTP POST request to send bitcoins out from the LocalBitcoins wallet.

LocalBitcoins.com uses the Django web framework, which includes security features to block invalid image uploads. However, in this particular case, the image verify method let the specially crafted file through because it contained valid PNG headers. The standard Python Imaging Library verify method does not check for extra payload at the end of an image file.

When the web browser downloaded the file, it interpreted the attachment as an HTML file, even though the beginning of the file was garbage due to the PNG headers.

Because the file was served from the LocalBitcoins.com domain, the download was considered safe and it passed through the cross-site request forgery protections.

When the user opened the attachment, the web browser executed the JavaScript inside the file and managed to perform a Send from wallet action if two-factor authentication was not enabled. With two-factor authentication, an additional security code is needed to execute a wallet transaction.

Actions taken to prevent further attacks

Since the attack, the LocalBitcoins.com team has strengthened the site security with additional layers to prevent similar attacks in the future.

Uploaded image files are rewritten to be clean image files, so that extra payloads and exploits of codec bugs in web browsers are not possible.

Extra checks are performed to make sure that the image content matches the attached file extension.
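
The two checks above can be illustrated with a standard-library-only sketch. This is an added example, not LocalBitcoins.com code: it walks the PNG chunk structure, reports any bytes after the IEND chunk (the gap the verify method left open) and rejects names that do not end in .png. The function names and the sample files are assumptions made for the example, and it is narrower than a full rewrite because it handles only PNG and does not decode the pixel data.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC32 over type+data (sample helper)."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))

def split_png(blob):
    """Return (clean_png, trailing_bytes); raise ValueError if not a well-formed PNG."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while True:
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            raise ValueError("truncated chunk")
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if zlib.crc32(blob[pos + 4:end - 4]) & 0xFFFFFFFF != crc:
            raise ValueError("bad chunk CRC")
        pos = end
        if ctype == b"IEND":  # everything past this point is not image data
            return blob[:pos], blob[pos:]

def check_upload(filename, blob):
    """Accept only .png names whose content is a PNG with nothing after IEND."""
    if not filename.lower().endswith(".png"):
        return False, "extension not allowed"
    try:
        _, trailing = split_png(blob)
    except ValueError as exc:
        return False, str(exc)
    if trailing:
        return False, "%d bytes after IEND" % len(trailing)
    return True, "ok"

# Constructed sample: a 1x1 grayscale PNG, then the same file with inert text appended.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN = (PNG_SIG + _chunk(b"IHDR", IHDR)
         + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
PADDED = CLEAN + b"<p>constructed trailing data</p>"
```

The first value returned by split_png is the file truncated at IEND, which is what a service would store instead of the uploaded bytes if it chose to strip the trailing data rather than reject the upload.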